Access Analyzer
API version: 2019-11-01
Auth
AWS SigV4
Base URL
Not specified.
Setup
1. Configure auth: AWS SigV4
2. GET /analyzed-resource -- verify that requests are authenticated and authorized
3. POST /policy/check-access-not-granted -- run a first check-access-not-granted policy check
Endpoints
35 endpoints across 10 groups. See references/api-spec.lap for full details.
archive-rule
| Method | Path | Description |
|---|---|---|
| PUT | /archive-rule | Retroactively applies the archive rule to existing findings that meet the archive rule criteria. |
policy
| Method | Path | Description |
|---|---|---|
| PUT | /policy/generation/{jobId} | Cancels the requested policy generation. |
| POST | /policy/check-access-not-granted | Checks whether the specified access isn't allowed by a policy. |
| POST | /policy/check-no-new-access | Checks whether new access is allowed for an updated policy when compared to the existing policy. You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the existingPolicyDocument request parameter. |
| POST | /policy/check-no-public-access | Checks whether a resource policy can grant public access to the specified resource type. |
| GET | /policy/generation/{jobId} | Retrieves the policy that was generated using StartPolicyGeneration. |
| GET | /policy/generation | Lists all of the policy generations requested in the last seven days. |
| PUT | /policy/generation | Starts the policy generation request. |
| POST | /policy/validation | Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices. |
access-preview
| Method | Path | Description |
|---|---|---|
| PUT | /access-preview | Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions. |
| GET | /access-preview/{accessPreviewId} | Retrieves information about an access preview for the specified analyzer. |
| POST | /access-preview/{accessPreviewId} | Retrieves a list of access preview findings generated by the specified access preview. |
| GET | /access-preview | Retrieves a list of access previews for the specified analyzer. |
analyzer
| Method | Path | Description |
|---|---|---|
| PUT | /analyzer | Creates an analyzer for your account. |
| PUT | /analyzer/{analyzerName}/archive-rule | Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide. |
| DELETE | /analyzer/{analyzerName} | Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action. |
| DELETE | /analyzer/{analyzerName}/archive-rule/{ruleName} | Deletes the specified archive rule. |
| GET | /analyzer/{analyzerName} | Retrieves information about the specified analyzer. |
| GET | /analyzer/{analyzerName}/archive-rule/{ruleName} | Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide. |
| GET | /analyzer | Retrieves a list of analyzers. |
| GET | /analyzer/{analyzerName}/archive-rule | Retrieves a list of archive rules created for the specified analyzer. |
| PUT | /analyzer/{analyzerName}/archive-rule/{ruleName} | Updates the criteria and values for the specified archive rule. |
recommendation
| Method | Path | Description |
|---|---|---|
| POST | /recommendation/{id} | Creates a recommendation for an unused permissions finding. |
| GET | /recommendation/{id} | Retrieves information about a finding recommendation for the specified analyzer. |
analyzed-resource
| Method | Path | Description |
|---|---|---|
| GET | /analyzed-resource | Retrieves information about a resource that was analyzed. |
| POST | /analyzed-resource | Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers. |
finding
| Method | Path | Description |
|---|---|---|
| GET | /finding/{id} | Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action. |
| POST | /finding | Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide. |
| PUT | /finding | Updates the status for the specified findings. |
findingv2
| Method | Path | Description |
|---|---|---|
| GET | /findingv2/{id} | Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action. |
| POST | /findingv2 | Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide. |
tags
| Method | Path | Description |
|---|---|---|
| GET | /tags/{resourceArn} | Retrieves a list of tags applied to the specified resource. |
| POST | /tags/{resourceArn} | Adds a tag to the specified resource. |
| DELETE | /tags/{resourceArn} | Removes a tag from the specified resource. |
resource
| Method | Path | Description |
|---|---|---|
| POST | /resource/scan | Immediately starts a scan of the policies applied to the specified resource. |
Common Questions
Match user requests to endpoints in references/api-spec.lap. Key patterns:
- "Cancel a policy generation?" -> PUT /policy/generation/{jobId}
- "Check that a policy does not grant specific access?" -> POST /policy/check-access-not-granted
- "Check that an updated policy grants no new access?" -> POST /policy/check-no-new-access
- "Check that a resource policy grants no public access?" -> POST /policy/check-no-public-access
- "Delete an analyzer?" -> DELETE /analyzer/{analyzerName}
- "Delete an archive-rule?" -> DELETE /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Get access-preview details?" -> GET /access-preview/{accessPreviewId}
- "Get analyzed-resource details?" -> GET /analyzed-resource
- "Get analyzer details?" -> GET /analyzer/{analyzerName}
- "Get archive-rule details?" -> GET /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Get finding details?" -> GET /finding/{id}
- "Get recommendation details?" -> GET /recommendation/{id}
- "Get findingv2 details?" -> GET /findingv2/{id}
- "Get policy generation details?" -> GET /policy/generation/{jobId}
- "List all access-previews?" -> GET /access-preview
- "List analyzed-resources of a type?" -> POST /analyzed-resource
- "List all analyzers?" -> GET /analyzer
- "List all archive-rules?" -> GET /analyzer/{analyzerName}/archive-rule
- "List findings?" -> POST /finding
- "List findings (v2)?" -> POST /findingv2
- "List all policy generations?" -> GET /policy/generation
- "List tags on a resource?" -> GET /tags/{resourceArn}
- "Start a resource scan?" -> POST /resource/scan
- "Remove a tag?" -> DELETE /tags/{resourceArn}
- "Update an archive-rule?" -> PUT /analyzer/{analyzerName}/archive-rule/{ruleName}
- "Validate a policy?" -> POST /policy/validation
- "How to authenticate?" -> See Auth section
Response Tips
- Check response schemas in references/api-spec.lap for field details
- Create/update endpoints typically return the created/updated object
CLI
```bash
# Update this spec to the latest version
npx @lap-platform/lapsh get access-analyzer -o references/api-spec.lap
# Search related APIs
npx @lap
```
References
- Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas
Generated from the official API spec by LAP